Microsoft Uncovers Vulnerability in Google Chrome Plug-in for IE

Microsoft uncovers a vulnerability in a controversial Google plug-in for Internet Explorer that could be exploited to bypass cross-origin protections. Google patched the issue this week in an update.

Microsoft researchers uncovered
a flaw in the Google Chrome Frame plug-in for users of Internet Explorer.
According to Google, which
patched the problem Nov. 18 with an update, the vulnerability could be
exploited to bypass cross-origin protections.

The plug-in-which injects
Google Chrome's rendering engine into Internet Explorer-has been a source
of controversy between Microsoft and Google in the past. In September,
Microsoft warned that the plug-in made IE less secure, not due to any specific
vulnerability, but rather the very idea of the plug-in itself.

"Given the security issues
with plug-ins in general and Google Chrome in particular, Google Chrome Frame
running as a plug-in has doubled the attack area for malware and malicious
scripts," a Microsoft spokesperson said at the time. "This is not a risk we
would recommend our friends and families take."
Google defended its actions,
stating that the plug-in brought Chrome's
Web technologies to IE. Crediting Microsoft with finding the recent issue,
Google noted that the vulnerability does not permit "persistent malware to
infect a user's machine." The company said it is unaware of any exploitation of
the issue.
The plug-in update also
fixes several common crashes and a handful of other bugs.